updated filelist storage so userid is not used directly

server/routes/filelist.js

@@ -1,9 +1,14 @@
+const crypto = require('crypto');
 const config = require('../config');
 const storage = require('../storage');
 const Limiter = require('../limiter');
 
-function id(user) {
-  return `filelist-${user}`;
+function id(user, kid) {
+  const sha = crypto.createHash('sha256');
+  sha.update(user);
+  sha.update(kid);
+  const hash = sha.digest('hex');
+  return `filelist-${hash}`;
 }
 
 module.exports = {
@@ -11,8 +16,9 @@ module.exports = {
     if (!req.user) {
       return res.sendStatus(401);
     }
+    const kid = req.params.id;
     try {
-      const fileId = id(req.user);
+      const fileId = id(req.user, kid);
       const contentLength = await storage.length(fileId);
       const fileStream = await storage.get(fileId);
       res.writeHead(200, {
@@ -29,11 +35,12 @@ module.exports = {
     if (!req.user) {
       return res.sendStatus(401);
     }
+    const kid = req.params.id;
     try {
       const limiter = new Limiter(1024 * 1024 * 10);
       const fileStream = req.pipe(limiter);
       await storage.set(
-        id(req.user),
+        id(req.user, kid),
         fileStream,
         null,
         config.max_expire_seconds

server/routes/index.js

@@ -88,8 +88,8 @@ module.exports = function(app) {
   );
   app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
   app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
-  app.get('/api/filelist', auth.fxa, filelist.get);
-  app.post('/api/filelist', auth.fxa, filelist.post);
+  app.get('/api/filelist/:id(\\w{16})', auth.fxa, filelist.get);
+  app.post('/api/filelist/:id(\\w{16})', auth.fxa, filelist.post);
   app.post('/api/upload', auth.fxa, require('./upload'));
   app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
   app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));